The function of automation technology is to automate technical processes. Broadly, an automated system consists of a technical system (plant) in which the process runs, an automation process, and operating personnel. The automated process may, by way of illustrative example, be a processing or manufacturing technology process or a process for generating or distributing electrical energy.
To plan and configure an automation solution the structure of the plant is, in a first step, normally recorded in a planning and engineering system by means of a corresponding software tool, and a flow diagram of the plant is then generated by linking graphical process objects using a plant planning tool. The process objects represent the operable and observable apparatus or devices of the plant, such for example as sensors, motors, pumps, valves, dosing equipment and controllers. Then, likewise using graphical objects, the hardware components of the automation system—such for example as automation devices (controllers), communication components, input/output modules and field devices—and the communication relationships between these components are configured and parameterized.
The graphical objects are typically contained in libraries as standard modules and are positioned and linked to one another by way of suitable editors on configuration interfaces in accordance with technological or automation technology considerations.
To establish whether this engineering of the automation solution has been successful, or to optimize it, test conditions can be predefined in a separate test tool and a simulation of the automation solution can be performed in a simulation tool under the predefined test conditions. In this manner the automation solution is emulated virtually in a simulated environment either wholly or partially by simulation models of the objects involved. The simulation tool generates signals for possible events and scenarios that may occur during operation of the plant. Such a simulation tool is known for example under the name SIMIT from Siemens AG.
The tools mentioned for plant planning, engineering, testing and simulation may be embodied individually or in combination.
Industrial automation systems have increasingly developed from originally proprietary, isolated systems into open architectures and standard technologies. As a consequence, the automation of processes in industrial plants now also constitutes a security-critical IT (information technology) complex and infrastructure that is increasingly exposed to cyber-attacks.
The future standard ISA99/IEC 62443 is concerned with the IT security of so-called “Industrial Automation and Control Systems” (IACS). The term IACS encompasses all components that are necessary for the reliable and fail-safe operation of an automated production plant. This firstly includes the networked hardware components of the automation solution such as, for example, controllers, firewalls, gateways, switches, SCADA systems or PC-based stations. A second aspect of IACS includes the organizational processes for fail-safe operation of the plant; these include process operation, internal chains of responsibility and escalation processes, as well as training for fail-safe operation.
A major contribution to the comprehensive protection of automation components, systems and plants against unauthorized access is provided not only by typical protection mechanisms such as firewalls or virtual private networks (VPN), but also by tools for proactive identification of attacks and other security-related deviations from a normal state or behavior, such for example as so-called SIEM (Security Information Event Management) systems.
A SIEM system generally unites the following two basic functionalities:
Security Event Management (SEM) collects security events in real time, evaluates them using correlations, and displays them in a structured manner on a SIEM console in a dashboard. The purpose of the evaluation is to identify, from individual events or from a pattern of multiple events, whether there is any indication of an attack or violation of the data security policies implemented in a plant. If any such indication is identified, then an alarm is generated and reported via the network or via other communication channels such as email or SMS to a suitable point, as for example an operator station.
Security Information Management (SIM) serves for the long-term archiving of captured security events, in order to enable a subsequent analysis, and for generating reports for use in demonstrating compliance with security guidelines and regulatory requirements.
The creation of correlation rules in a SIEM system deployed in an automation plant depends heavily on the plant-specific network topology (including network segmentation and the communication relationships between individual components of the automation system) and the security events that may be generated in each case by the components deployed. This relates to very complex systems of rules and events, the behavior and effects of which on the overall behavior of the plant are not easy to predict. The cost of implementation is very high and testing for full functionality and coverage is not easy to achieve.
Individual commercial SIEM systems contain the functionality, in response to an identified security risk or a threat (e.g. a brute force attack or an impermissible CPU protection level change) or to an alarm as mentioned above, for performing further actions such as executing a batch file that may for example close a port or changing the configuration of a component of the automation system.
When deploying a SIEM system in an industrial plant, the active use of such extended functionality is however generally dispensed with, because the action triggered by the SIEM system can negatively impact the normal operation of the plant and could possibly endanger the process and/or human lives. The remaining alarm function instead leaves the decision on a reasonable response to the current security issue to the plant operator, administrator or IT specialist. Yet because of the complexities involved, suitable actions of the plant operator and the resulting behavior of the plant cannot be determined and optimized until the plant is in operation. The danger then is that errors in the planned code of practice for responding to critical security incidents cannot be identified, and inappropriate actions by operating personnel cannot be prevented. There are quite simply insufficient opportunities for testing the system in the context of the overall plant and plant management.
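As an added illustration of the SEM correlation described above and of the alarm-only deployment practice of the preceding paragraphs, the following example (written for this page; it is not code from the patent or from any SIEM product) evaluates a constructed stream of security events against a small, topology-dependent rule set. The hosts, network segments, permitted communication relationships, thresholds and event streams are all assumptions made for the example; the event streams stand in for the signals a simulation tool would generate under predefined test conditions, which is what allows the rules to be exercised without a running plant.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed plant topology (assumption for this example): host -> network segment.
SEGMENTS = {
    "eng-ws-01": "engineering",   # engineering workstation
    "hmi-02": "control",          # operator station
    "plc-07": "control",          # controller
    "office-pc-33": "office",     # office PC, no business on the control network
}
CONTROLLERS = {"plc-07"}
# Communication relationships permitted towards controllers, per source segment.
MAY_REACH_CONTROLLER = {"engineering", "control"}


@dataclass
class Event:
    t: float                 # seconds since start of the (constructed) scenario
    kind: str                # "connection", "login_failed", "protection_level_change"
    src: str
    dst: str
    detail: dict = field(default_factory=dict)


@dataclass
class Alarm:
    rule: str
    t: float
    message: str


class CorrelationEngine:
    """Minimal SEM-style correlation: two single-event rules plus one pattern rule
    (repeated failed logins inside a sliding time window). The engine only reports
    alarms and never executes an action on the plant, i.e. the alarm-only mode."""

    def __init__(self, bf_threshold=5, bf_window=60.0):
        self.bf_threshold = bf_threshold
        self.bf_window = bf_window
        self._failed = defaultdict(deque)   # (src, dst) -> timestamps of failed logins
        self._seg_reported = set()          # (src, dst) pairs already alarmed once
        self.alarms = []

    def _rule_segmentation(self, ev):
        # Any event directed at a controller from a segment that may not reach it.
        key = (ev.src, ev.dst)
        src_seg = SEGMENTS.get(ev.src, "unknown")
        if ev.dst in CONTROLLERS and src_seg not in MAY_REACH_CONTROLLER and key not in self._seg_reported:
            self._seg_reported.add(key)     # report each offending pair once, not per packet
            return Alarm("segmentation_violation", ev.t,
                         f"{ev.src} ({src_seg}) reached controller {ev.dst}")
        return None

    def _rule_brute_force(self, ev):
        # Pattern rule: N failed logins from one source to one target within the window.
        if ev.kind != "login_failed":
            return None
        q = self._failed[(ev.src, ev.dst)]
        q.append(ev.t)
        while q and ev.t - q[0] > self.bf_window:
            q.popleft()
        if len(q) == self.bf_threshold:     # fire once, when the threshold is crossed
            return Alarm("brute_force", ev.t,
                         f"{len(q)} failed logins from {ev.src} to {ev.dst} within {self.bf_window:.0f}s")
        return None

    def _rule_protection_level(self, ev):
        # A CPU protection level change is expected only from the engineering segment.
        if ev.kind == "protection_level_change" and SEGMENTS.get(ev.src) != "engineering":
            return Alarm("cpu_protection_level_change", ev.t,
                         f"protection level of {ev.dst} changed "
                         f"{ev.detail.get('old')}->{ev.detail.get('new')} by {ev.src}")
        return None

    def process(self, ev):
        for rule in (self._rule_segmentation, self._rule_brute_force, self._rule_protection_level):
            alarm = rule(ev)
            if alarm:
                self.alarms.append(alarm)   # report only: no batch file, no config change
        return self.alarms


def scenario(name):
    """Constructed event streams standing in for simulator-generated test signals."""
    if name == "engineering_session":      # legitimate work; should stay silent
        return [Event(0.0, "connection", "eng-ws-01", "plc-07"),
                Event(1.0, "login_failed", "eng-ws-01", "plc-07"),
                Event(5.0, "protection_level_change", "eng-ws-01", "plc-07", {"old": 3, "new": 1})]
    if name == "office_brute_force":       # office PC repeatedly failing to log in to the controller
        return [Event(float(i), "login_failed", "office-pc-33", "plc-07") for i in range(6)]
    if name == "hmi_changes_protection":   # operator station changing the CPU protection level
        return [Event(10.0, "protection_level_change", "hmi-02", "plc-07", {"old": 3, "new": 1})]
    raise ValueError(f"unknown scenario {name!r}")


def run_scenario(name, **engine_kwargs):
    """Feed one scenario through a fresh engine and return (rule, time) of each alarm."""
    eng = CorrelationEngine(**engine_kwargs)
    for ev in scenario(name):
        eng.process(ev)
    return [(a.rule, a.t) for a in eng.alarms]


if __name__ == "__main__":
    for n in ("engineering_session", "office_brute_force", "hmi_changes_protection"):
        print(n, run_scenario(n))
```

Running the three scenarios shows the point of testing rules against predefined conditions before deployment: the legitimate engineering session produces no alarm, the office-PC scenario produces one segmentation alarm followed by a brute-force alarm once the fifth failure arrives, and raising the brute-force threshold (a tuning decision that in a real plant depends on the components deployed) silently removes the second alarm, which is exactly the kind of coverage gap the text says is hard to detect once the plant is running.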
Published US Patent Application 2012/224057 discloses an alert enterprise system with a correlation engine that supports the convergence of information security, access control and industrial control. The system communicates with a plurality of different systems and sources of technical and non-technical data and processes the security-related data and information obtained from them for the purposes of identifying, evaluating and minimizing threats and risks and of complying with and examining regulatory provisions. An alert enterprise simulation engine enables simulations and statistical analyses in order to identify, evaluate and minimize risks proactively.
The publication of A. Davis, “Developing SCADA Simulations with C2WindTunnel”, Master's Thesis, Vanderbilt University, Nashville, Tenn., May 1, 2011 (available on the Internet at http://etd.library.vanderbilt.edu/available/etd-04052011-071956/unrestricted/edt.pdf), describes the simulation of a SCADA system for monitoring and controlling a technical process. Because of the complexity of the SCADA system to be modeled and simulated, which includes the process to be controlled, field devices, a central controller and a network linking the field devices and the controller to one another, the simulation is performed on the basis of High-Level Architecture (HLA), in which the overall simulation, designated as a federation, is split into a plurality of distributed individual simulations, known as federates. The exchange of information between the individual simulations is coordinated and administered by the so-called runtime infrastructure (RTI). The individual simulations can be created by means of various suitable software tools or frameworks such as Simulink/MATLAB for the technical process and the controller or OMNeT++ for the network. A software platform called C2WindTunnel is used to coordinate the heterogeneous individual simulations and to generate the overall simulation. The C2WindTunnel platform uses the so-called Generic Modeling Environment (GME), a toolset for designing domain-specific models. To simulate a network attack, an attacker is added during the generation of the individual simulation(s) for the network, so that the attack and its effects on the SCADA system can be simulated in the context of the overall simulation.
A summary presentation can be found in Rohan Chabukswar et al., “Simulation of Network Attacks on SCADA Systems”, First Workshop on Secure Control Systems, CPSWeek, Stockholm, Sweden, Apr. 12, 2010 (available on the Internet at http://truststc.org/conferences/10/CPSWeek/presentations/Rohan%20Chabukswar.pdf).